Software Security Report Found That Over Three-Quarters of Applications Have at Least One Security Flaw – CPO Magazine

Veracode released this year's State of Software Security (SOSS) Volume 11 report, which revealed that most applications have at least one security flaw. The report also found that software teams take about six months to fix half of the security flaws discovered.

SOSS 11 found that software teams have control over some factors, while others were beyond their control. Veracode categorized these factors as nature vs. nurture.

The report analyzed over 130,000 active applications from the company's base of over 2,500 clients.

Over three-quarters (75.8%) of applications have at least one security flaw, while 23.7% have high severity flaws.

Roughly two-thirds of the applications tested have at least one vulnerability that falls into an OWASP Top 10 category, and well over half have at least one that falls into a SANS 25 category: 65.8% and 58.8% of tested software, respectively.

Open source libraries were a predisposing factor, according to Veracode. The report noted that 70% of applications inherit at least one flaw from their open source libraries.

Similarly, 30% of applications have more flaws in their open source libraries than in their in-house code. An example is the Instagram bug (CVE-2020-1895), which originated in the Mozjpeg open source library that Instagram used to process uploaded pictures.

Combining multiple scan types improves the efficacy of DevSecOps, according to the SOSS 11 report. Software teams that combine scan types such as dynamic analysis (DAST), static analysis (SAST), and software composition analysis (SCA) have higher fix rates. For example, teams applying both SAST and DAST fix half of their flaws 24 days faster than teams using only one of them.

Teams that automate security testing within the SDLC fix half of their flaws 17.5 days faster.

Reducing security debt by fixing the backlog of known flaws reduces software security risk, the report noted. Older applications with a higher density of security flaws take longer to remediate, requiring an average of 63 more days to close half of their flaws.

Chris Eng, Chief Research Officer at Veracode, said that software security aimed to find and fix the faults rather than write a perfect application.

Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools, Eng added.

The nature and severity of the security flaws found vary with the programming language used to build the application.

Overall, 59.3% of applications developed in C++ had high severity flaws. Other languages with a high share of high severity bugs are PHP (52.6%), .NET (25.0%), and Java (23.8%). Python and JavaScript had the lowest rates of high severity flaws, at 9.6% and 8.6%, respectively.

The most prevalent software security flaws per programming language were information leakage in .NET applications (62.8%), Cross-Site Scripting (XSS) in PHP (74.6%) and JavaScript (31.5%), CRLF Injection in Java (64.4%), and cryptographic issues in Python (35.0%). Error handling remained the most common security flaw in 66.5% of C++ applications.
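As an added illustration (not code from the CPO Magazine article or from the Veracode report), the snippet below shows what the "cryptographic issues" category most common in Python applications typically looks like in practice: an unsalted fast hash used for password storage, a non-constant-time comparison, and a non-cryptographic PRNG used for a security token, each beside a hardened equivalent built from the standard library. The function names, the iteration count, and the sample password are assumptions made for this example.

```python
"""Weak vs. hardened handling of passwords and tokens in Python.

Constructed example for this page: the "weak_*" functions are the patterns a
SAST scanner reports under "cryptographic issues"; the others are the fixes.
"""
import hashlib
import hmac
import os
import random
import secrets
from typing import Optional

# --- Weak forms (flagged as cryptographic issues) ------------------------------

def weak_password_record(password: str) -> str:
    # Unsalted, fast hash: two users with the same password get the same
    # record, and precomputed (rainbow) tables apply directly.
    return hashlib.md5(password.encode()).hexdigest()


def weak_password_check(record: str, password: str) -> bool:
    # Plain "==" stops at the first differing byte, so comparison time leaks
    # how much of the digest an attacker has guessed correctly.
    return record == weak_password_record(password)


def weak_reset_token() -> str:
    # random.* is a Mersenne Twister PRNG: its state, and hence every future
    # token, can be recovered from enough observed outputs.
    return "".join(random.choice("0123456789abcdef") for _ in range(32))


# --- Hardened forms -------------------------------------------------------------

# Assumed iteration count; matches OWASP's guidance for PBKDF2-HMAC-SHA256 at
# the time of writing. Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{RECORD_ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != RECORD_ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def reset_token() -> str:
    # secrets.* draws from the OS CSPRNG; 32 bytes gives 256 bits of entropy.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    rec = hash_password("hunter2")  # "hunter2" is a constructed sample password
    print("weak record (same for every user):", weak_password_record("hunter2"))
    print("hardened record:", rec)
    print("verify correct:", verify_password(rec, "hunter2"))
    print("verify wrong:  ", verify_password(rec, "hunter3"))
    print("token:", reset_token())
```

The hardened record embeds its own algorithm, iteration count and salt, so the iteration count can be raised later without invalidating existing records: `verify_password` reads the parameters from the record rather than from the constant.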

The report authors recommended that software developers adopt secure coding practices and understand the most common type of flaws per language to increase software security.


Some classes of flaw, such as buffer overflows, are more severe but comparatively rare.

The most prevalent flaw categories were information leakage (65.9%), CRLF injection (65.4%), cryptographic issues (63.7%), and code quality (60.4%), while credentials management, insufficient input validation, directory traversal, and Cross-Site Scripting (XSS) each had a prevalence of around 48%.
